Computer forensics, a branch of digital forensics, is the practice of examining digital evidence and recovering data for use in civil or criminal legal proceedings. The examination must be conducted in a forensically sound manner (the original evidence is never altered, every step is documented and repeatable, and the chain of custody is unbroken) so that the evidence is admissible in court. Computer forensics also underpins "e-discovery" (electronic discovery), the disclosure of digital evidence to the parties in litigation. Indications of data theft, employee theft, policy and compliance violations, embezzlement, fraud and other computer crimes can be uncovered during a forensic examination.
A digital forensic investigation commonly consists of four stages: seizure, acquisition (imaging) of exhibits, analysis, and reporting.
Seizure: Before the actual examination, the digital media is seized. In criminal cases this is usually done by law enforcement personnel trained as technicians, to ensure the preservation of evidence. In civil matters it is usually done by a company officer, often untrained, which is where avoidable mistakes such as booting the suspect machine or copying files by hand tend to happen.
Acquisition: Once exhibits have been seized, an exact sector-level duplicate (a "forensic duplicate", or image) of the media is created, usually through a write-blocking device that prevents any write command from reaching the original; this process is referred to as imaging or acquisition. The duplicate is created with a hard-drive duplicator or software imaging tools such as dcfldd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The source and the resulting image are both hashed (MD5 and/or SHA-256) and the values recorded in the acquisition notes; a later re-hash that still matches is what demonstrates the image has not changed. The original drive is then returned to secure storage to prevent tampering, and all analysis is performed on the image.
Analysis: After acquisition, the contents of the image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data). In 2002 the International Journal of Digital Evidence described this stage as "an in-depth systematic search of evidence related to the suspected crime".
During the analysis, an investigator usually recovers evidential material using a number of different methodologies (and tools), often beginning with recovery of deleted material. Examiners use specialist tools (EnCase, ILooKIX, FTK, etc.) to view and recover data. The type of data recovered varies with the investigation, but examples include email, chat logs, images, internet history and documents. The data can be recovered from allocated (accessible) disk space, from deleted (unallocated) space, or from operating-system cache files.
Reporting: When an investigation is complete, the findings are reported in a form suitable for non-technical readers. Reports may also include audit information (what was done, with which tool versions, and the hash values that tie the findings back to the exhibits) and other meta-documentation.
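The acquisition and verification steps above, as an added example (not code from the page or from any of the tools it names): a block-wise copy that hashes the source as it is read, re-hashes the written image independently, writes a JSON acquisition record, and can re-verify the image later. The helper names, the case identifiers and the "drive" contents are all constructed for the example; a real acquisition would read a raw device such as /dev/sdb through a write blocker rather than a file.

```python
"""Added example: forensic acquisition with hash verification and an acquisition log."""
import hashlib
import json
import os
import tempfile
import time

BLOCK_SIZE = 1 << 20  # 1 MiB; a real acquisition reads a raw device (e.g. /dev/sdb), not a file


def _digest_all(chunks):
    """Feed every chunk to MD5 and SHA-256 at once and return both hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def _blocks(fileobj):
    return iter(lambda: fileobj.read(BLOCK_SIZE), b"")


def hash_bytes(data):
    return _digest_all([data])


def hash_file(path):
    with open(path, "rb") as f:
        return _digest_all(_blocks(f))


def acquire(source, image_path, log_path, case_id, examiner):
    """Sector-by-sector copy of `source` to `image_path`, hashing the source as it is read,
    then re-hashing the written image. Writes a JSON acquisition record and returns it."""
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in _blocks(src):
            dst.write(block)
            size += len(block)
            md5.update(block)
            sha.update(block)
    source_hashes = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    image_hashes = hash_file(image_path)  # independent re-read of what actually hit the disk
    record = {
        "case_id": case_id, "examiner": examiner, "source": str(source),
        "image": str(image_path), "size_bytes": size, "started_utc": started,
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_hashes": source_hashes, "image_hashes": image_hashes,
        "verified": image_hashes == source_hashes,
    }
    with open(log_path, "w") as log:
        json.dump(record, log, indent=2)
    if not record["verified"]:
        raise RuntimeError("image does not match source: %r != %r" % (image_hashes, source_hashes))
    return record


def verify_image(image_path, record):
    """Re-hash an image later (before analysis, or before testimony) against its acquisition record."""
    return hash_file(image_path) == record["source_hashes"]


def demo():
    """Constructed input: a small fake 'drive' file (not real evidence). Returns the checks that matter."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    log = os.path.join(workdir, "acquisition.json")
    with open(source, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 16 + b"\x55\xaa")  # 4101 bytes of constructed content
    record = acquire(source, image, log, case_id="2015-0042", examiner="J. Doe")
    ok_before = verify_image(image, record)
    with open(image, "r+b") as f:  # simulate tampering with the image: flip one byte
        f.seek(10)
        f.write(b"\xff")
    ok_after = verify_image(image, record)
    return {"record": record, "verified_before_tamper": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two hashes are kept because an MD5 recorded years ago on older paperwork still has to be matched, while SHA-256 is what a current report should cite; the re-hash after writing is the step that catches a failing destination drive or a cable fault, which a hash of the source alone never would.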
Digital Forensic Requirements:
Physical requirements:
Physical floor space is dictated by the size of the group that will occupy it. The space should be in a secure location, or contain appropriate measures to stop unauthorized access to the premises. It should have an adjacent, secure walk-in lock-up vault that keeps intruders from its contents and also protects them from fire/heat, smoke, water and electromagnetic emanations (it should generally not be near radio equipment). Seized equipment, as well as official certified evidentiary copies of seized data, is stored in this vault; together with enforced sign-in/sign-out procedures, it maintains the chain of custody. Access to the vault and its contents should therefore be logged and monitored at all times. There also needs to be adequate lockable storage space for the specialized equipment that is acquired over the course of investigations and reused in later ones, and for consumables such as CDs, DVDs, removable hard drives of various capacities, paper, toner cartridges, etc.
Hardware requirements:
A number of computers are required, including a network server with large storage capacity (preferably configured for the standard removable hard drives). This server is used to manage, document and administer cases, to store the various software tools, and to manage one-off specialist hardware such as Rimage CD production units, CopyPro floppy disk readers, printers, etc.
The evidentiary copy of seized data is usually written to CD or DVD and, because of the large capacity of current hard drives, this can be a time-consuming process. The Rimage and other units like it make it possible to create, number and label the media unattended, producing as many as 50 CDs/DVDs without intervention. Capturing the contents of floppy disks is even more time consuming, and devices like the CopyPro can acquire as many as 50 floppy disks without intervention. The capabilities of these devices vary from model to model; the two mentioned above are merely examples with specific capacities.
There should also be a separate Internet connection (NEVER connected to the forensics server or the evidence network, which stay air-gapped). The Internet is useful for finding and sharing forensic information and techniques and for communicating with other forensic professionals. Staying abreast of developments in this field is a vital part of staying viable in the forensics arena, and the Internet is one source that helps meet this need.
There should be a number of workstations connected to the internal network; how many depends on how many forensic staff are employed. The workstations let them work on individual cases simultaneously and share the common devices and resources. Portable acquisition computers (the kit) are also required. Ideally, each is configured identically with the standard forensic suite of tools and with removable hard drives (the same standard drives as above) of various capacities. Each kit should have a robust carrying case that holds extra hard drives, an array of connection plugs and converters, and a hard-drive write blocker such as FastBloc. The forensic kits are used for on-site acquisition and/or seizure. Acquisition is usually best undertaken under the controlled conditions of the laboratory, but there are circumstances where that is not practical and an evidentiary acquisition must be performed on site (for example, when dealing with an Internet service provider, whose production systems cannot simply be taken away). These kits must also carry an assortment of forms, labels, tags, pens, tape, evidence bags, a digital camera, a GPS receiver, etc., all of which are vital to the seizure and acquisition process. There is an ongoing need to obtain devices, media, cables, converters and specialized media readers of various types, both for experimentation and for acquiring evidence from media other than hard drives and floppies (for example SIM cards, flash memory of various descriptions, iButtons, etc.). The hardware and physical premises are the largest outlay of funds. This is an ongoing cost, and funds must be allocated regularly to purchase new hardware as it appears on the market.
Software Requirements:
Tools and materials can be broken down into two categories:
· Reusable: The reusable components of a response toolkit primarily consist of hardware and software. Based on the size and complexity of your environment, you will need varying amounts of the following:
o Forensic duplication and analysis workstation supporting both IDE and SCSI, for disk duplication and as a platform on which to run your forensic software
o Forensic software to perform analysis, gather and document evidence and, in some cases, duplicate drives
o Network sniffer to capture network traffic, both as an investigative tool and as evidence
o Network cabling for use with forensic duplication devices and network sniffers
o Hubs for use with network sniffers and forensic duplication devices; a hub lets you connect two or more computers directly without a crossover cable and, unlike a switch, repeats every frame to every port, so the sniffer sees all the traffic
o CD or DVD burner, or other removable media, to store and transport disk images and evidence
o High-capacity IDE and SCSI drives to store forensic images
o Assorted SCSI and IDE connectors and cables, so that as many drive types as possible can be attached to your forensic duplication device
o Screwdriver set to open computer chassis and remove hard drives
o Boot disk with forensic tools for every hardware and OS combination in your environment, providing a software-based drive duplication option when local duplication or physical access to the drive is not possible
o Tools disk with statically linked executables (basic OS utilities and forensic applications) for every hardware and OS combination in your environment, providing a trusted set of binaries for forensic analysis of a running system, since the binaries and shared libraries on a compromised host cannot be trusted
· Consumable:
o Blank DVD-R or CD-R media
o Evidence labels
o Permanent markers
o Evidence bags
o Note pads
Digital forensic services cover a wide area. A computer forensics laboratory assists law enforcement agencies by providing technical assistance, training and examinations of digital evidence in support of criminal investigations.
It can conduct the following types of computer forensic investigation (among others):
In general:
· Child Pornography & Sexual Exploitation
· Use of E-Mail, Instant Messaging & Chat
· Computer Hacking & Network Intrusion
· Copyright Infringement
· Software Piracy
· Intellectual Property Theft
· Identity Theft
· Online Auction Fraud
· Credit Card Fraud
· Other Financial Frauds & Schemes
· Telecommunications Fraud
· Threats, Harassment
· Extortion and/or Blackmail
· Gambling
· Drug Abuse and/or Distribution
· Divorce
· Adult Sexual Assault
· Assault & Battery
· Domestic Violence
· Death Investigation
· Employee or Employer Misconduct
· Theft, Robbery and/or Burglary
In corporate settings:
To determine whether intellectual property has been stolen by departing employees. Employee theft can be devastating to the health of a business. Occurrences of employee theft, which include stealing customer and vendor lists, marketing materials, business plans and trade secrets, are growing every year, and civil and criminal litigation over these types of computer crime is rising with them.
If a company believes that it, or its client, is the victim of computer fraud, employee misconduct, embezzlement or abuse involving a computer, and digital evidence exists that would support the case, a digital forensic laboratory can help. One of the most common reasons for failure to prosecute cyber criminals is weak or inadequate admissible evidence.
Case Study of Regional Computer Forensics Laboratory (USA):
An RCFL is a one-stop, full-service forensics laboratory and training center devoted entirely to the examination of digital evidence in support of criminal investigations such as:
· Terrorism
· Child Pornography
· Crimes of Violence
· Trade secret theft
· Theft or destruction of intellectual property
· Financial crime
· Property crime
· Internet crimes
· Fraud
Services of RCFL:
In 2002, the FBI established the RCFL National Program Office (NPO) to oversee the operations of the RCFLs and to facilitate the creation of new facilities. Additionally, the NPO supports the laboratories by:
· Providing technical assistance to ensure consistent quality management of each laboratory
· Institutionalizing the policies, practices and legal processes regarding the establishment and governance of RCFLs
· Cultivating working relationships between law enforcement, the private sector, academia and other government agencies by serving as a national clearinghouse for the exchange and dissemination of information among these entities
· Serving as an advocate for the Program before key constituent groups
· Working with the FBI and other government agencies to develop new digital evidence forensics tools
· Developing training curricula for digital evidence examiners and law enforcement officers
· Coordinating and communicating training initiatives and tool development efforts for use by the law enforcement community.
Forensic Tool Functionalities:
· Cloud Services
· Deleted File Recovery
· Disk Imaging
· Email Parsing
· File Carving
· Forensic Boot Environment
· Forensic Tool Suite (Mac Investigations)
· Forensic Tool Suite (Windows Investigations)
· GPS Forensics
· Hardware Write Block
· Hash Analysis
· Image Analysis (Graphics Files)
· Infotainment & Vehicle Forensics
· Instant Messenger
· Media Sanitization/Drive Re-use
· Memory Capture and Analysis
· Mobile Device Acquisition, Analysis and Triage
· P2P Analysis
· Password Recovery
· Remote Capabilities / Remote Forensics
· Social Media
· Software Write Block
· Steganalysis
· String Search
· Web Browser Forensics
· Windows Registry Analysis
Forensic tools tested by NIST:
NIST runs the Computer Forensics Tool Testing (CFTT) project, which tests forensic tools against published specifications (for example, that a disk imager copies every sector of the source and that a write blocker passes no write command through) and publishes the test reports. CFTT does not "approve" or certify tools: a tool's presence on the list means a test report exists for that specific version, and the report itself records any anomalies found, so an examiner should read the report for the version in use rather than rely on the listing. Below is the list of tested tools; it was last updated in June 2015.
· Disk Imaging:
* Tableau TD3 Forensic Imager 1.3.0
* MacQuisition 2013R2
* Paladin 4.0
* DCFLDD 1.3.4-1
* X-Ways Forensics 16.2 SR-5
* Image MASSter Solo-4 Forensic
* IXImager v3.0.nov.12.12
* Fast Disk Acquisition System (FDAS) 2.0.2
* FTK Imager CLI 2.9.0 Debian
* Paladin 3.0
* Paladin 2.06
* X-Ways Forensic 14.8
* ASR Data SMART version 2010-11-03
* VOOM HardCopy 3P – Firmware Version 2-04
* Image MASSter Solo-3 Forensics, Software Version 2.0.10.23f
* Tableau TD1 Forensic Duplicator, Firmware Version 2.34 Feb. 17, 2011
* Tableau Imager (TIM) Version 1.11
* SubRosaSoft MacForensics Lab 2.5.5
* Logicube Forensic Talon Software Version 2.43
* BlackBag MacQuisition 2.2
* EnCase 6.5
* EnCase LinEn 6.01
* EnCase 5.05f
* FTK Imager 2.5.3.14
* DCCIdd (Version 2.0)
* EnCase 4.22a
* EnCase LinEn 5.05f
* IXimager (Version 2.0)
* dd FreeBSD
* EnCase 3.20
* Safeback 2.18
* Safeback (Sydex) 2.0
* dd GNU fileutils 4.0.36
· Forensic Media Preparation:
* dc3dd Version 7.0.0
* Image MASSter Solo-4 Forensics, Software Version 4.2.63.0
* Tableau TDW1 Drive Tool/Drive Wiper, Firmware Version 04/07/10 18:21:33
* Disk Jockey PRO Forensic Edition (version 1.20)
* Drive eRazer Pro SE Bundle 12/03/2009
* Tableau Forensic Duplicator Model TD1 (Firmware Version 3.10)
* Logicube Omniclone 2Xi
* Darik's Boot and Nuke 1.0.7
* Voom HardCopy II (Model XLHCPL-2PD Version 1.11)
* WiebeTech Drive eRazer: DRZR-2-VBND & Drive eRazer PRO Bundle
· Write Block (Software):
* ACES Writeblocker Windows 2000 V5.02.00
* ACES Writeblocker Windows XP V6.10.0
* PDBLOCK Version 1.02 (PDB_LITE)
* PDBLOCK Version 2.00
* PDBLOCK Version 2.10
* RCMP HDL V0.4
* RCMP HDL V0.5
* RCMP HDL V0.7
* RCMP HDL V0.8
· Write Block (Hardware):
* T4 Forensic SCSI Bridge (FireWire Interface)
* T4 Forensic SCSI Bridge (USB Interface)
* Tableau T8 Forensic USB Bridge (FireWire Interface)
* Tableau T8 Forensic USB Bridge (USB Interface)
* FastBloc FE (USB Interface)
* FastBloc FE (FireWire Interface)
* Tableau T5 Forensic IDE Bridge (USB Interface)
* Tableau T5 Forensic IDE Bridge (FireWire Interface)
* Tableau Forensic SATA Bridge T3u (USB Interface)
* Tableau Forensic SATA Bridge T3u (FireWire Interface)
* Tableau Forensic IDE Pocket Bridge T14 (FireWire Interface)
* WiebeTech Forensic SATADock (FireWire Interface)
* WiebeTech Forensic SATADock (USB Interface)
* WiebeTech Forensic ComboDock (USB Interface)
* WiebeTech Forensic ComboDock (FireWire Interface)
* WiebeTech Bus Powered Forensic ComboDock (USB Interface)
* WiebeTech Bus Powered Forensic ComboDock (FireWire Interface)
* Digital Intelligence UltraBlock SATA (FireWire Interface)
* FastBloc IDE (Firmware Version 16)
* MyKey NoWrite (Firmware Version 1.05)
* ICS ImageMasster DriveLock IDE (Firmware Version 17)
* WiebeTech FireWire DriveDock Combo (FireWire Interface)
* Digital Intelligence Firefly 800 IDE (FireWire Interface)
* Digital Intelligence UltraBlock SATA (USB Interface)
· Mobile Devices:
* Device Seizure v6.8
* Lantern v4.5.6
* EnCase Smartphone Examiner v7.10.00.103
* Oxygen Forensics Suite 2015 – Analyst v7.0.0.408
* Secure View v3.16.4
* viaExtract v2.5
* Mobile Phone Examiner Plus v5.5.3.73
* iOS Crime Lab v1.0.1
* UFED Physical Analyzer v3.9.6.7
* XRY/XACT v6.10.1
* EnCase Smartphone Examiner v7.0
* Device Seizure v5.0 build 4582.15907
* Lantern v2.3
* Micro Systemation XRY v6.3.1
* Secure View 3 v3.8.0
* CelleBrite UFED 1.1.8.6 – Report Manager 1.8.3/UFED Physical Analyzer 2.3.0
* Mobile Phone Examiner Plus (MPE+) 4.6.0.2
* AFLogical 1.4
* Mobilyze 1.1
* iXAM Version 1.5.6
* Zdziarski's Method
* WinMoFo Version 2.2.38791
* SecureView 2.1.0
* Device Seizure 4.0
* XRY 5.0.2
* CelleBrite UFED 1.1.3.3
* BitPim – 1.0.6 official
* MOBILedit! Forensics 3.2.0.738
* Susteen DataPilot Secure View 1.12.0
* Final Data – Final Mobile Forensics 2.1.0.0313
* Paraben Device Seizure 3.1
* Cellebrite UFED 1.1.05
* Micro Systemation .XRY 3.6
* Guidance Software Neutrino 1.4.14
* Paraben Device Seizure 2.1
* Susteen DataPilot Secure View 1.8.0
· Deleted File Recovery:
* ILooKIX v2.2.3.151
* The Sleuth Kit (TSK) 3.2.2 / Autopsy 2.24
* X-Ways Forensics Version 16.0 SR-4
* SMART for Linux Version 2011-02-02 (Revised)
* FTK Version 3.3.0.33124
* EnCase Version 6.18.0.59
· Forensic File Carving:
· Graphic File Carving:
* Adroit Photo Forensics 2013 v3.1d
* EnCase Forensic v6.18.0.59
* EnCase Forensic v7.09.05
* FTK v4.1
* iLook v2.2.7
* PhotoRec v7.0-WIP
* Recover My Files v5.2.1
* R-Studio v6.2
* Scalpel v2.0
* X-Ways Forensics v17.6
· Video File Carving:
* Defraser v1.3
* EnCase v7.09.05
* iLook v2.2.7
* PhotoRec v7.0-WIP
* Recover My Files v5.2.1
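The carving that the "File Carving" functionality and the CFTT "Forensic File Carving" categories above refer to, as an added example (not code from the page or from any of the carving tools listed): a header/footer carver over a blob of unallocated space that, for PNG, walks the chunk structure and checks each CRC instead of trusting the first IEND it sees, and that reports a header with no valid end as a partial object rather than dropping it. The signatures are the public ones for the three formats; the sample blob, the file contents and the function names are constructed for the example.

```python
"""Added example: header/footer carving with format-aware validation for PNG."""
import struct
import zlib

# (type, header, footer, max size). PNG has no footer search: its end is found by walking chunks.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", None, 16 << 20),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 16 << 20),
    ("pdf", b"%PDF-", b"%%EOF", 64 << 20),
]


def _png_end(blob, start):
    """Walk PNG chunks (length, type, data, CRC) from the signature; return the offset just past IEND,
    or None if a chunk is truncated or its CRC is wrong (a spurious IEND elsewhere must not be trusted)."""
    pos = start + 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return None
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def carve(blob):
    """Return carved objects sorted by offset: {'type', 'offset', 'complete', 'data'}.
    Contiguous files only; a header with no valid end is carved as a bounded partial object."""
    hits = []
    for ftype, header, footer, max_size in SIGNATURES:
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            limit = min(len(blob), start + max_size)
            if footer is None:
                end = _png_end(blob, start)
            else:
                f = blob.find(footer, start + len(header), limit)
                end = f + len(footer) if f >= 0 else None
            if end is None:
                hits.append({"type": ftype, "offset": start, "complete": False, "data": blob[start:limit]})
                pos = start + len(header)
            else:
                hits.append({"type": ftype, "offset": start, "complete": True, "data": blob[start:end]})
                pos = end
    hits.sort(key=lambda h: h["offset"])
    return hits


def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_sample_blob():
    """Constructed 'unallocated space': filler, a minimal valid PNG (45 bytes at offset 512), a minimal
    JPEG (53 bytes at 1069), then a PDF at 1634 whose tail and %%EOF were overwritten, so it can only be
    carved as a partial object."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _png_chunk(b"IEND", b""))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n"
    filler = b"\x00" * 512
    return filler + png + filler + jpg + filler + pdf + filler
```

The point of the PNG path is the one the CFTT carving test reports keep surfacing: a footer search alone recovers any byte sequence that happens to look like a footer, so formats with a walkable structure should be validated structurally, and anything that fails validation is still worth keeping as a labelled partial rather than silently discarded.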
Encryption/Decryption Tools for Labs:
These are password-recovery and steganography tools rather than encryption tools as such:
Cain & Abel: Password recovery for Windows
SAMInside: Password recovery for Windows (cracks hashes taken from the SAM hive)
John the Ripper: Password recovery (hash cracking) for Windows and Linux
Camouflage: Digital steganography (hides files inside other files; its output is a target for steganalysis rather than an analysis tool)
Free and open-source forensic tools, by category (not all are open source; several are free-to-use commercial utilities):
Disk tools and data capture
Name | From | Description
| Arsenal Consulting | Mounts disk images as complete disks in Windows, giving access to Volume Shadow Copies, etc.
| MoonSols | Generates a physical memory dump of Windows machines, 32-bit and 64-bit. Can run from a USB flash drive.
| Guidance Software | Creates EnCase evidence files and EnCase logical evidence files
| Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP or BitLocker encrypted volumes
| 4Discovery | Edits EWF (E01) metadata, removes passwords (EnCase v6 and earlier)
| Ridgecrop | Enables large-capacity disks to be formatted as FAT32
| Web Content Protection Association | Browser designed to forensically capture web pages
| AccessData | Imaging tool, disk viewer and image mounter
| vogu00 | Multi-threaded GUI imager running under Linux
| Belkasoft | Extracts a RAM dump, including memory protected by an anti-debugging or anti-dumping system. 32- and 64-bit builds
| Hjelmvik | Network analysis tool. Detects OS, hostname and open ports of network hosts through packet sniffing/PCAP parsing
| Nmap | Utility for network discovery and security auditing
| Magnet Forensics | Captures physical memory of a suspect's computer. Windows XP to Windows 10, and Server 2003, 2008, 2012. 32- and 64-bit
| Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones
| Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks
| Wireshark | Network protocol capture and analysis
| Microsoft | Creates Virtual Hard Disk (VHD) versions of physical disks for use in Microsoft Virtual PC or Hyper-V VMs
Email analysis
Name | From | Description
| Lepide Software | Open and view (not export) Exchange EDB files without an Exchange server
| MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases and single EML files
| SysTools | View MBOX emails and attachments
| Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server
| Lepide Software | Open and view (not export) Outlook PST files without needing Outlook
General
Name | From | Description
| Mythicsoft | Search multiple files using Boolean operators and Perl regex
| NIST | Collated forensic images for training, practice and validation
| Nuix | Copies data between locations, with file comparison, verification and logging
| Shirouzu Hiroaki | Self-labelled 'fastest' copy/delete software for Windows. Can verify with SHA-1, etc.
| Gary Kessler | Table of file signatures
| Peter Fiskerstrand | Identifies over 1000 file types by examining their signatures
| Nirsoft | Calculates MD5 and SHA-1 hashes
| Mobatek | Runs Linux live CDs from their ISO image without having to boot into them
| Arkane Systems | Automatically moves the mouse pointer, stopping the screen saver, hibernation, etc.
| Notepad++ | Advanced Notepad replacement
| NIST | Hash sets of 'known' (ignorable) files
| Ted Technology | A Linux and Windows GUI for individual and recursive SHA-1 hashing of files
| DSi | Enables software write-blocking of USB ports
| FH Aachen | Application that simplifies the use of the Volatility Framework
| Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD
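How the NIST hash sets of 'known' files in the table above, and the "Hash Analysis" functionality listed earlier, are actually used during triage, as an added example (not code from the page, from NIST or from any listed tool): every file under a mounted image is hashed, matched first against a known-bad set and then against a known-good set, and whatever is left is the unknown material that deserves examiner time. The CSV header is the real NSRL RDS NSRLFile.txt layout; the evidence tree, the file contents, the two hash lists and the function names are constructed for the example.

```python
"""Added example: known-file hash filtering, the way NSRL-style hash sets are used during triage."""
import csv
import hashlib
import io
import os
import tempfile


def sha1_of(path):
    """SHA-1 of a file, streamed (the NSRL RDS indexes on SHA-1; MD5 is also present in the set)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest().upper()


def load_nsrl(text):
    """Parse NSRL RDS lines into {SHA-1: FileName}.
    Header: "SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["SHA-1"].upper(): row["FileName"] for row in reader}


def triage(root, known_good, known_bad):
    """Hash every file under root and bucket it. Known-bad is checked first: a hit there matters more than
    a known-good match, and a hash can legitimately appear in both sets (e.g. a dual-use utility)."""
    result = {"known_bad": [], "known_good": [], "unknown": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha1_of(path)
            rel = os.path.relpath(path, root)
            if digest in known_bad:
                result["known_bad"].append((rel, known_bad[digest]))
            elif digest in known_good:
                result["known_good"].append(rel)
            else:
                result["unknown"].append((rel, digest))
    return result


def _sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


def demo():
    """Constructed evidence tree plus constructed hash lists (none of this is real data); returns the buckets."""
    root = tempfile.mkdtemp()
    files = {
        "Windows/System32/notepad.exe": b"MZ fake notepad",        # will be in the 'known good' list
        "Users/bob/Documents/budget.xlsx": b"PK fake spreadsheet",  # in neither list: needs a look
        "Users/bob/AppData/svch0st.exe": b"MZ fake dropper",        # will be in the 'known bad' list
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    header = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    good_csv = header + '"%s","","","notepad.exe","15","1","189",""\n' % _sha1_hex(b"MZ fake notepad")
    bad_csv = header + '"%s","","","dropper.exe","15","9999","189",""\n' % _sha1_hex(b"MZ fake dropper")
    return triage(root, load_nsrl(good_csv), load_nsrl(bad_csv))
```

On a real image the known-good set removes the bulk of operating-system and application files so that string searches and manual review concentrate on user data and on binaries nobody has catalogued; the unknown bucket, not the known-bad one, is usually where the case is.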
File and data analysis
Name | From | Description
| Allan Hay | Reads Windows XP, Vista and Windows 7 prefetch files
| David Kovar | Parses the MFT from an NTFS file system, allowing results to be analysed with other tools
| Eric Zimmerman | Finds strings in binary data, including regular-expression searching
| Evolka | PCAP viewer
| CrowdStrike | Windows console application to aid gathering of system information for incident response and security engagements
| CrowdStrike | Details network processes, listing the binaries associated with each process. Queries VirusTotal, other malware repositories and reputation services to produce an "at-a-glance" state of the system
| Digital Detective | Converts various data types to date/time values
| Various | Detects full and partial multimedia files in unallocated space
| Ted Technology | Recursively parses the headers of every eCryptfs file in a selected directory. Outputs the encryption algorithm used, original file size, signature used, etc.
| Passware | Scans a computer for password-protected and encrypted files, reporting encryption complexity and decryption options for each file
| Phil Harvey | Read, write and edit Exif data in a large number of file types
| Toolsley.com | Drag-and-drop web-browser JavaScript tool for identification of over 2000 file types
| Sanderson Forensics | Views various picture formats, image enhancer, extraction of embedded Exif and GPS data
| Alessandro Tanasi | In-depth analysis of image (picture) files
| Mandiant | Examine log files using text, graphic or histogram views
| 4Discovery | Recursively parses folders, extracting 30+ attributes from Windows .lnk (shortcut) files
| Nirsoft | View and export Windows Live Messenger contact details
| Eric Zimmerman | Prefetch Explorer
| AppliedAlgo |
| EMC | Network packet capture and analysis
| Mandiant | Acquire and/or analyse RAM images, including the page file on live systems
| 4Discovery | Recursively parses folders to extract metadata from MS Office, OpenOffice and PDF files
| Sanderson Forensics | Displays and decodes the contents of an extracted MFT file
| Mike's Forensic Tools | Lists Exif and, where available, GPS data for all photographs present in a directory. Exports data to .xls or Google Earth KML format
| Microsoft | Suite of command-line Windows utilities
| Shadow Explorer | Browse and extract files from shadow copies
| Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database
| Microsoft | Command-line tool for text searches
| MiTeC | View and manage MS OLE Structured Storage based files
| Mike's Forensic Tools | Text replacement/converter/decoder for dealing with URL encoding, etc.
| MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files
| Gianluca Costa & Andrea De Franceschi | Network forensics analysis tool
Mac OS tools
Name | From | Description
| Twocanoes Software | Audit Preference Pane and Log Reader for OS X
| Kyeongsik Lee | Parses the keychain structure, extracting the user's confidential information such as application account/password, encrypted volume password (e.g. FileVault), etc.
| Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker by disabling disk arbitration
| Blackbag Technologies | Converts epoch times to local time and UTC
| AccessData | Command-line Mac OS version of AccessData's FTK Imager
| Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
| Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors
| Kyeongsik Lee | Memory forensic toolkit for Mac OS X
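The timestamp conversion that two rows above describe (the Digital Detective converter of "various data types to date/time values" in the file and data analysis table, and the Blackbag epoch converter here), as an added example that is not code from the page or from either vendor: decoders for the raw timestamp formats an examiner meets most often, a local-time renderer, and a `guess` helper that tries every interpretation of a bare integer and keeps only those that land in a plausible range. The epochs and units are the documented ones for each format; the function names, the plausibility window and the sample values are the author's own choices.

```python
"""Added example: decoding the timestamp formats an examiner meets most often."""
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME, Chrome/WebKit
_EPOCH_1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS/HFS+
_EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix
_EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple "absolute"/Cocoa time (iOS SQLite databases)


def filetime_to_utc(ft):
    """FILETIME: 100-nanosecond intervals since 1601-01-01 (NTFS timestamps, registry key LastWrite)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def webkit_to_utc(us):
    """Chrome/WebKit: microseconds since 1601-01-01 (History and Cookies SQLite databases)."""
    return _EPOCH_1601 + timedelta(microseconds=us)


def unix_to_utc(seconds):
    return _EPOCH_1970 + timedelta(seconds=seconds)


def hfs_to_utc(seconds):
    return _EPOCH_1904 + timedelta(seconds=seconds)


def mac_absolute_to_utc(seconds):
    return _EPOCH_2001 + timedelta(seconds=seconds)


def dos_to_naive(date16, time16):
    """FAT/ZIP packed date and time: local time with no zone information at all, 2-second resolution."""
    year = 1980 + (date16 >> 9)
    month = (date16 >> 5) & 0x0F
    day = date16 & 0x1F
    hour = time16 >> 11
    minute = (time16 >> 5) & 0x3F
    second = (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def to_local(utc_dt, offset_hours):
    """Render a UTC value in the suspect machine's zone; a report should show both, as the tools above do."""
    return utc_dt.astimezone(timezone(timedelta(hours=offset_hours)))


_CANDIDATES = [
    ("unix_seconds", unix_to_utc),
    ("unix_milliseconds", lambda v: unix_to_utc(v / 1000)),
    ("filetime", filetime_to_utc),
    ("webkit_microseconds", webkit_to_utc),
    ("hfs_seconds", hfs_to_utc),
    ("mac_absolute_seconds", mac_absolute_to_utc),
]


def guess(raw, earliest=1995, latest=2040):
    """Try every interpretation of a bare integer and keep those that land in a plausible range.
    The caller still has to know where the value came from; this only narrows the options."""
    found = {}
    for name, fn in _CANDIDATES:
        try:
            dt = fn(raw)
        except (OverflowError, ValueError):   # out of datetime's range for this interpretation
            continue
        if earliest <= dt.year <= latest:
            found[name] = dt
    return found
```

The plausibility window is deliberately wide; it is there to discard interpretations that are physically impossible (a FILETIME read as Unix seconds overflows, a Unix value read as FILETIME lands in 1601), not to decide between two that both fit, which only the artefact's provenance can do.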
Mobile devices
Name | From | Description
| Mario Piccinelli | Explore iOS backups
| Leo Crawford, Mat Proud | Explore the internal file structure of iPads, iPods and iPhones
| Robin Wood | Extracts phone model, software version, creation date and GPS data from iPhone videos
| Dan Roe | Parses physical flash dumps and Nokia PM records to find details of previously inserted SIM cards
| CCL Forensics | Deconstructs BlackBerry .ipd backup files
| SignalSEC Corp | Obtains SMS messages, call logs and contacts from Android devices
Data analysis suites
Name | From | Description
| Brian Carrier | Graphical interface to the command-line digital investigation analysis tools in The Sleuth Kit (see below)
| Backtrack | Penetration testing and security audit distribution with forensic boot capability
| Nanni Bassetti | Linux-based live CD featuring a number of analysis tools
| Dr. Stefano Fratepietro and others | Linux-based live CD featuring a number of analysis tools
| ArxSys | Analyses volumes, file systems, user and application data, extracting metadata, deleted and hidden items
| Harlan Carvey | Automates 'repetitive tasks of data collection'
| Sumuri | Ubuntu-based live boot CD for imaging and analysis
| SANS | VMware appliance pre-configured with multiple tools for digital forensic examinations
| Brian Carrier | Collection of UNIX-based command-line file and volume system forensic analysis tools
| Volatile Systems | Collection of tools for the extraction of artefacts from RAM
File viewers
Name | From | Description
| SysTools | View (not save or export from) contents of BKF backup files
| SysTools | View (not save or export) Lotus Notes DXL file emails and attachments
| SysTools | View (not save or export from) E01 files and view messages within EDB, PST and OST files
| SysTools | View (not save or export) MS SQL MDF files
| SysTools | View (not save or export) MSG file emails and attachments
| SysTools | View (not save or export) OLM file emails and attachments
| Microsoft | View PowerPoint presentations
| Microsoft | View Visio diagrams
| VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc.
Internet analysis
Name | From | Description
| Foxton Software | Captures history from Firefox, Chrome, Internet Explorer and Edge web browsers running on Windows computers
| Foxton Software | Extract, view and analyse internet history from Firefox, Chrome, Internet Explorer and Edge web browsers
| CCL Forensics | Python module for off-line parsing of Chrome session files ("Current Session", "Last Session", "Current Tabs", "Last Tabs")
| Nirsoft | Reads the cache folder of the Google Chrome web browser and displays the list of all files currently stored in the cache
| Mike's Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits
| Busindre | Runs under Python 3.x, extracting forensic information from Firefox, Iceweasel and SeaMonkey browsers
| Belkasoft | Captures information publicly available in Facebook profiles
| Nirsoft | Extracts various details of Internet Explorer cookies
| Nirsoft | Extracts stored passwords from Internet Explorer versions 4 to 8
| Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape web browsers
| Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape web browsers
| Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape web browsers and displays the list of all visited web pages
| Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
| Nirsoft | Extracts the user names and passwords stored by the Mozilla Firefox web browser
| Nirsoft | Reads the cache folder of the Opera web browser and displays the list of all files currently stored in the cache
| Nirsoft | Decrypts the content of the Opera web browser password file, wand.dat
| Mandiant | Reviews the list of URLs stored in the history files of the most commonly used browsers
| Magnet Forensics | Takes a list of URLs, saving scrolling captures of each page. Produces an HTML report file containing the saved pages
Registry analysis
Name | From | Description
| Eric Zimmerman | Dumps the list of ShimCache entries, showing which executables were run and their modification dates
| Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file
| Microsoft | Examine Windows processes and registry threads in real time
| Eric Zimmerman | Command-line access to offline Registry hives. Supports simple and regular-expression searches as well as searching by last-write timestamp
| US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis and reporting of registry contents
| Eric Zimmerman | Offline Registry viewer. Provides deleted artefact recovery, value slack support and robust searching
| Harlan Carvey | Registry data extraction and correlation tool
| Regshot | Takes snapshots of the registry, allowing comparisons (e.g., showing registry changes after installing software)
| Eric Zimmerman | Presents a visual representation of what a user's directory structure looked like. Additionally exposes various timestamps (e.g., first explored and last explored for a given folder)
| Woanware | Details previously attached USB devices from exported registry hives
| 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems
| Nirsoft | Details previously attached USB devices
| 4Discovery | Extracts SID, user names, indexes, application names, run counts, session and last-run-time attributes from UserAssist keys
| Didier Stevens | Displays the list of programs run, with run count and last run date and time
| MiTeC | Extracts configuration settings and other information from the Registry
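What the two UserAssist rows above (4Discovery's extractor and Didier Stevens's program-run viewer) actually decode, as an added example that is not code from the page or from either author: UserAssist value names are ROT13-encoded program paths, and each value's binary data carries the run count and last-run FILETIME in one of two documented layouts (16 bytes on Windows XP/2003, where the count starts at 5, and 72 bytes from Windows 7 onwards). The layouts are the documented ones; the sample value, the GUID-prefixed name and the function names are constructed for the example, and a zero FILETIME is reported as "never run" rather than as 1601.

```python
"""Added example: decoding UserAssist values (ROT13 names, binary run-count/last-run records)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _filetime(ft):
    """FILETIME to UTC; 0 means the entry has no timestamp (the program has not been run)."""
    return None if ft == 0 else _EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist(value_name, raw):
    """value_name: a value name under ...\\Explorer\\UserAssist\\{GUID}\\Count (ROT13-encoded).
    raw: the REG_BINARY data. Returns a dict; unknown lengths are reported, not guessed at."""
    name = codecs.decode(value_name, "rot13")
    if len(raw) == 16:                       # Windows XP/2003: session, count (starts at 5), FILETIME
        session, count, ft = struct.unpack("<IIQ", raw)
        return {"name": name, "layout": "xp", "run_count": max(count - 5, 0), "last_run": _filetime(ft)}
    if len(raw) == 72:                       # Windows 7 and later
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
        ft = struct.unpack_from("<Q", raw, 60)[0]
        return {"name": name, "layout": "win7", "run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_run": _filetime(ft)}
    return {"name": name, "layout": "unknown(%d bytes)" % len(raw)}


def build_sample_win7(run_count, focus_count, focus_ms, last_run_filetime):
    """Constructed 72-byte value in the Windows 7+ layout (session and undocumented fields zeroed)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 40                   # ten floats at offsets 16..55 (not decoded here)
            + struct.pack("<I", 0)           # offset 56, unknown
            + struct.pack("<Q", last_run_filetime)
            + struct.pack("<I", 0))          # offset 68, unknown


def demo():
    """Constructed entry: cmd.exe launched 7 times, last on 2015-01-01 00:00 UTC."""
    name = codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot13")
    raw = build_sample_win7(7, 3, 12500, 130645440000000000)
    return decode_userassist(name, raw)
```

The GUID prefix survives ROT13 as a different-looking GUID, which is why a raw registry dump of this key looks like nonsense until decoded; the practitioner's check is that the decoded name resolves to a known folder GUID plus a real path, and that the run count and last-run time agree with the Prefetch and ShimCache artefacts the other tools in this table recover.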
Application analysis
Name | From | Description
| Magnet Forensics | Decrypts the Dropbox filecache.dbx file, which stores information about files that have been synced to the cloud using Dropbox
| Magnet Forensics | Takes the x,y,z coordinates found in a map tile filename and downloads the surrounding tiles, providing more context
| Sanderson Forensics | Extracts various data from the KaZaA application
| Nirsoft | View and export Windows Live Messenger contact details
| Nirsoft | View Skype calls and chats
Challenges:
· Technical issues:
o Encryption: Encrypted data can be impossible to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer, or on another computer which the suspect has had access to. It could also reside in the volatile memory of the computer (RAM), which is usually lost on shutdown; another reason to consider using live acquisition techniques, as outlined above.
o Increasing storage space: Storage media hold ever greater amounts of data, which for the examiner means that their analysis computers need sufficient processing power and available storage capacity to efficiently search and analyse large amounts of data.
o New technologies: Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert in all areas, though they may frequently be expected to analyse something they have not previously encountered. To deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is very useful in this respect, as it is likely that someone else has already come across the same issue.
o Anti-forensics: Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the overwriting of data to make it unrecoverable, the modification of files' metadata (for example timestamps) and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence that they were used to hide.
· Legal issues: Legal issues may confuse or distract from a computer examiner's findings. An example here is the "Trojan Defence". A Trojan is a piece of computer code disguised as something benign but which carries a hidden and malicious purpose. Trojans have many uses, including keylogging, uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user's knowledge; such a Trojan Defence has been used successfully even when no trace of a Trojan or other malicious code was found on the suspect's computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument. A good examiner will have identified and addressed possible arguments from the "opposition" while carrying out the analysis and in writing their report.
· Administrative issues:
o Accepted standards: There is a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. The reasons for this include: standard-setting bodies being tied to particular legislations; standards being aimed either at law enforcement or at commercial forensics, but not at both; the authors of such standards not being accepted by their peers; and high joining fees for professional bodies dissuading practitioners from participating.
o Fit to practise: In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.
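The anti-forensics item under Technical issues above mentions modification of files' metadata. One check a practitioner runs for that on NTFS, shown here as an added Python example that is not part of the original page, compares the $STANDARD_INFORMATION timestamps (which user-mode APIs such as SetFileTime can rewrite) against the $FILE_NAME timestamps (maintained by the kernel and not reachable through those APIs). Two heuristics are applied to constructed sample records: $SI creation earlier than $FN creation, and $SI times truncated to whole seconds while $FN keeps sub-second precision. Both are leads rather than proof: renames and volume moves can rewrite $FN on some Windows versions, and some tools set full-precision values. The records are constructed, not taken from a real image; in practice they would come from an $MFT parser, with timestamps kept as the raw 100 ns tick counts NTFS stores.

```python
from datetime import datetime, timezone

# NTFS stores timestamps as 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def ticks(iso, sub_ticks=0):
    """UTC ISO-8601 string -> NTFS tick count, plus an optional sub-second remainder."""
    delta = datetime.fromisoformat(iso) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + sub_ticks


# Constructed MFT-style records (not from a real image): $SI and $FN created/modified.
SAMPLE_RECORDS = [
    {   # Ordinary file: $SI and $FN creation agree, all values carry sub-second precision.
        "path": "C:\\Users\\bob\\report.docx",
        "si_created": ticks("2013-03-01T09:00:00+00:00", 4_321_000),
        "si_modified": ticks("2013-03-05T17:20:10+00:00", 8_812_345),
        "fn_created": ticks("2013-03-01T09:00:00+00:00", 4_321_000),
        "fn_modified": ticks("2013-03-01T09:00:00+00:00", 4_321_000),
    },
    {   # Backdated file: $SI pushed to 2009 with whole-second values, $FN still shows 2013.
        "path": "C:\\Temp\\update.exe",
        "si_created": ticks("2009-07-14T01:14:23+00:00"),
        "si_modified": ticks("2009-07-14T01:14:23+00:00"),
        "fn_created": ticks("2013-03-06T22:41:07+00:00", 2_208_441),
        "fn_modified": ticks("2013-03-06T22:41:07+00:00", 2_208_441),
    },
    {   # Copied-in file: modified before created is normal for a copy and must not be flagged.
        "path": "C:\\Users\\bob\\Downloads\\old-notes.txt",
        "si_created": ticks("2013-03-06T10:00:00+00:00", 1_000_001),
        "si_modified": ticks("2011-11-11T11:11:11+00:00", 7_770_000),
        "fn_created": ticks("2013-03-06T10:00:00+00:00", 1_000_001),
        "fn_modified": ticks("2013-03-06T10:00:00+00:00", 1_000_001),
    },
]


def timestamp_anomalies(rec):
    """Return a list of human-readable findings for one record (empty if nothing stands out)."""
    findings = []
    # $FN creation is set by the kernel when the entry is made; $SI creation
    # earlier than that means $SI was rewritten (or the file was moved; verify).
    if rec["si_created"] < rec["fn_created"]:
        findings.append("$SI created precedes $FN created (possible backdating; check for moves)")
    # Tools that call SetFileTime with second-granularity input leave $SI with a
    # zero sub-second part, while $FN keeps the original precision.
    si_whole = all(rec[k] % TICKS_PER_SECOND == 0 for k in ("si_created", "si_modified"))
    fn_frac = any(rec[k] % TICKS_PER_SECOND != 0 for k in ("fn_created", "fn_modified"))
    if si_whole and fn_frac:
        findings.append("$SI timestamps truncated to whole seconds while $FN keeps sub-second precision")
    return findings


def suspicious_records(records):
    """Map path -> findings for every record with at least one anomaly."""
    out = {}
    for rec in records:
        findings = timestamp_anomalies(rec)
        if findings:
            out[rec["path"]] = findings
    return out


if __name__ == "__main__":
    for path, findings in suspicious_records(SAMPLE_RECORDS).items():
        print(path)
        for f in findings:
            print("   -", f)
```

A hit from this check is a reason to pull the file's other sources of time (the $MFT entry sequence and neighbours, USN journal, prefetch, link files) rather than a conclusion on its own, which matches the point above that traces of anti-forensics usually survive somewhere else on the system.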
Presenting evidence in court:
The court systems in the United States hold a pre-trial hearing to determine whether the scientific evidence to be presented at trial has been gathered with techniques and methodologies that are fundamentally sound and produce reliable results. This pre-trial hearing, known as a Daubert hearing, uses four general guidelines to evaluate the evidence-gathering procedure [9]:
1. Can the procedure be tested?
2. Is there a known error rate for the procedure?
3. Has the procedure been published and subjected to peer review?
4. Is the procedure generally accepted in the relevant scientific community?
Currently, however, there is no law in Bangladesh which describes how digital evidence is to be collected, what the procedures of collection are, or other such specifications, although there is an ICT law which describes which digital contents will be acceptable as evidence.
[1] Anderson, A.; Collie, B.; De Vel, O.; McKemmish, R.; and Mohay, G.; "Computer and Intrusion Forensics", Artech House, 2003.
[2] McKemmish, R.; "What is Forensic Computing?", Trends and Issues in Crime and Criminal Justice, No. 118, 1999.
[3] Gong, Tony; and Gaertner, Mathias; "Case-Relevance Information Investigation: Binding Computer Intelligence to the Current Computer Forensic Framework", International Journal of Digital Evidence, Vol. 4, Issue 1, Spring 2005.
[4] Yasinsac, Alex; Erbacher, Robert; Marks, Donald; Pollitt, Marc; and Sommer, Peter; "Computer Forensics Education", in: Forensics Education, July/August 2003, pages 15-23.
[5] Francia, Guillermo; and Clinton, Keion; "Computer Forensics Laboratory and Tools", Journal of Computing Sciences in Colleges, Vol. 20, Issue 6, June 2005, pages 143-150.
[6] Kuchta, Kelly; "Computer Forensics Today", in: Law, Investigations, and Ethics, CRC Press LLC, 2000.
[7] Kathirvel, Ayyaswamy; and Srinivasan, R.; "Double Umpiring System for Ad Hoc Wireless Mobile Network Security", The International Journal of Forensic Computer Science (IJoFCS), Vol. 5, No. 1, 2010, pages 22-29, DOI: 10.5769/J201001003.
[8] Nogueira, José; and Celestino Júnior, Joaquim; "Autonomic Forensics: a New Frontier to Computer Crime Investigation Management", The International Journal of Forensic Computer Science (IJoFCS), Vol. 4, No. 1, 2009, pages 29-41, DOI: 10.5769/J200901003.
[9] Nogueira, José; and Vasconcelos, Wamberto; "Ontology for Complex Mission Scenarios in Forensic Computing", The International Journal of Forensic Computer Science (IJoFCS), Vol. 3, No. 1, 2008, pages 42-50, DOI: 10.5769/J200801004.
[10] Milsan, Richard; "Creating Laboratories for Undergraduate Courses in Mobile Phone Forensics", Proceedings of the 2010 ACM Conference on Information Technology Education, 2010, pages 111-116, ISBN 978-1-4503-0343-9, DOI: 10.1145/1867651.1867680.
[11] Allen, W. H.; "Computer Forensics", IEEE Security & Privacy, Vol. 3, Issue 4, 2005, pages 59-62.
[12] Oppliger, R.; and Rytz, R.; "Does Trusted Computing Remedy Computer Security Problems?", IEEE Security & Privacy, Vol. 3, No. 2, March/April 2005, pages 16-19.
[13] Garfinkel, S. L.; and Shelat, A.; "Remembrance of Data Passed: A Study of Disk Sanitization Practices", IEEE Security & Privacy, Vol. 1, No. 1, 2003, pages 17-27.
[14] Howard, Richard; Thomas, Ralph; Burstein, Jeff; and Bradescu, Roxanna; "Cyber Fraud Trends and Mitigation", The International Journal of Forensic Computer Science (IJoFCS), Vol. 3, No. 1, 2008, pages 9-24, DOI: 10.5769/J200801001.
[15] Cellebrite website, www.cellebrite.com.
[16] AccessData website, www.accessdata.com.
[17] Paraben website, www.paraben.com.
[18] Sleuthkit website, www.sleuthkit.org.